=========================================================
Authenticating against Django's user database from Apache
=========================================================

.. warning::

    Support for mod_python has been deprecated within Django. Once that
    support is removed, this method of authentication will no longer be
    provided by Django. The community is welcome to offer its own alternate
    solutions using WSGI middleware or other approaches.

Since keeping multiple authentication databases in sync is a common problem when
dealing with Apache, you can configure Apache to authenticate against Django's
:doc:`authentication system </topics/auth>` directly. For example, you
could:

    * Serve static/media files directly from Apache only to authenticated users.

    * Authenticate access to a Subversion_ repository against Django users with
      a certain permission.

    * Allow certain users to connect to a WebDAV share created with mod_dav_.

.. _Subversion: http://subversion.tigris.org/
.. _mod_dav: http://httpd.apache.org/docs/2.0/mod/mod_dav.html

Configuring Apache
==================

To check against Django's authorization database from an Apache configuration
file, you'll need to use mod_python's ``PythonAuthenHandler`` directive along
with the standard ``Auth*`` and ``Require`` directives:

.. code-block:: apache

    <Location /example/>
        AuthType Basic
        AuthName "example.com"
        Require valid-user

        SetEnv DJANGO_SETTINGS_MODULE mysite.settings
        PythonAuthenHandler django.contrib.auth.handlers.modpython
    </Location>

.. admonition:: Using the authentication handler with Apache 2.2

    If you're using Apache 2.2, you'll need to take a couple of extra steps.

    You'll need to ensure that ``mod_auth_basic`` and ``mod_authz_user``
    are loaded. These might be compiled statically into Apache, or you might
    need to use ``LoadModule`` to load them dynamically (as shown in the
    example at the bottom of this note).

    You'll also need to insert configuration directives that prevent Apache
    from trying to use other authentication modules, as well as specifying
    the ``AuthUserFile`` directive and pointing it to ``/dev/null``. Depending
    on which other authentication modules you have loaded, you might need one
    or more of the following directives:

    .. code-block:: apache

        AuthBasicAuthoritative Off
        AuthDefaultAuthoritative Off
        AuthzLDAPAuthoritative Off
        AuthzDBMAuthoritative Off
        AuthzDefaultAuthoritative Off
        AuthzGroupFileAuthoritative Off
        AuthzOwnerAuthoritative Off
        AuthzUserAuthoritative Off

    A complete configuration, with differences between Apache 2.0 and
    Apache 2.2 marked in bold, would look something like:

    .. parsed-literal::

        **LoadModule auth_basic_module modules/mod_auth_basic.so**
        **LoadModule authz_user_module modules/mod_authz_user.so**

        ...

        <Location /example/>
            AuthType Basic
            AuthName "example.com"
            **AuthUserFile /dev/null**
            **AuthBasicAuthoritative Off**
            Require valid-user

            SetEnv DJANGO_SETTINGS_MODULE mysite.settings
            PythonAuthenHandler django.contrib.auth.handlers.modpython
        </Location>

By default, the authentication handler will limit access to the ``/example/``
location to users marked as staff members.  You can use a set of
``PythonOption`` directives to modify this behavior:

    ================================  =========================================
    ``PythonOption``                  Explanation
    ================================  =========================================
    ``DjangoRequireStaffStatus``      If set to ``on`` only "staff" users (i.e.
                                      those with the ``is_staff`` flag set)
                                      will be allowed.

                                      Defaults to ``on``.

    ``DjangoRequireSuperuserStatus``  If set to ``on`` only superusers (i.e.
                                      those with the ``is_superuser`` flag set)
                                      will be allowed.

                                      Defaults to ``off``.

    ``DjangoPermissionName``          The name of a permission to require for
                                      access. See :ref:`custom permissions
                                      <custom-permissions>` for more
                                      information.

                                      By default no specific permission will be
                                      required.
    ================================  =========================================
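
The options from the table combined in one configuration, as an added example that is not part of the original Django documentation. The paths ``/media/private/``, ``/svn/`` and ``/ops/`` and the permission ``repos.can_commit`` are hypothetical, and the example assumes that a ``DjangoPermissionName`` check applies in addition to the staff and superuser flags, since each option is described as a restriction.

```apache
# Added example; paths and the permission name are hypothetical.
# SSLRequireSSL assumes mod_ssl is loaded: Basic auth sends the password
# with every request, so these locations refuse plain HTTP.

# Any Django user with a valid password. The staff check defaults to
# "on", so it is switched off explicitly.
<Location /media/private/>
    SSLRequireSSL
    AuthType Basic
    AuthName "example.com"
    Require valid-user

    SetEnv DJANGO_SETTINGS_MODULE mysite.settings
    PythonAuthenHandler django.contrib.auth.handlers.modpython
    PythonOption DjangoRequireStaffStatus off
</Location>

# Subversion repository: non-staff users are allowed, but only when they
# hold the (hypothetical) permission repos.can_commit.
<Location /svn/>
    SSLRequireSSL
    AuthType Basic
    AuthName "example.com"
    Require valid-user

    SetEnv DJANGO_SETTINGS_MODULE mysite.settings
    PythonAuthenHandler django.contrib.auth.handlers.modpython
    PythonOption DjangoRequireStaffStatus off
    PythonOption DjangoPermissionName repos.can_commit
</Location>

# Superusers only. DjangoRequireStaffStatus is left at its default "on".
<Location /ops/>
    SSLRequireSSL
    AuthType Basic
    AuthName "example.com"
    Require valid-user

    SetEnv DJANGO_SETTINGS_MODULE mysite.settings
    PythonAuthenHandler django.contrib.auth.handlers.modpython
    PythonOption DjangoRequireSuperuserStatus on
</Location>
```

On Apache 2.2, each block also needs the ``AuthUserFile /dev/null`` and ``AuthBasicAuthoritative Off`` lines shown in the note above.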

Note that sometimes ``SetEnv`` doesn't play well in this mod_python
configuration, for reasons unknown. If you're having problems getting
mod_python to recognize your ``DJANGO_SETTINGS_MODULE``, you can set it using
``PythonOption`` instead of ``SetEnv``. Therefore, these two Apache directives
are equivalent::

    SetEnv DJANGO_SETTINGS_MODULE mysite.settings
    PythonOption DJANGO_SETTINGS_MODULE mysite.settings